DETAILED ACTION

Claims 1 - 12, 14 - 22, 24 - 29 are pending.

All objections and rejections not set forth below have been withdrawn.

Specification

The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the following is required:

Amendments to claims 1 - 12, 14 - 22, 24 - 29 add new recitations substantially comprising: "the request includes a first portion of safe data, and a second portion of data", "wherein the HTTP request includes a safe portion and a user input portion that includes data that was not generated by the server computer", "refraining from serving a response to any portion of the request if . . . ", "refusing to dynamically render a response to any portion of the HTTP request", and "evaluating only the second portion of the request". The specification fails to provide proper antecedent basis for these recitations.
Claim Objections

Claim 8 is objected to because of the following informalities: A comma should precede the clause "if the input data includes a script construct", as it is presumed that the applicant wishes for this conditional to modify the action of refusing to render a response. Appropriate correction is required.

Claim Rejections - 35 USC § 112

The following is a quotation of the first paragraph of 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1 - 12, 14 - 22, 24 - 29 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor(s), at the time the application was filed, had possession of the claimed invention. Applicant has not pointed out where the new (or amended) claims are supported, nor does there appear to be a written description of the claim limitations in the application as filed (see the above objection to the specification).

The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1 - 12, 14 - 22, 24 - 29 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Specifically, claims 1, 8, and 18 each comprise the limitation (or an essentially similar one), "refraining from serving a response to any portion of the request". However, the examiner notes that the applicant, in contradiction, subsequently claims (see claims 1, 7, 8, 18) that the server computer, in response to a portion of a request, serves an error response to the client. Accordingly, these recitations render the scope of these claims unclear.

Dependent claims are rejected by virtue of dependency.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1 - 12, 14 - 22, 24 - 29 are rejected under 35 U.S.C. 103(a) as being unpatentable over CERT CC, "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" (CERT-Advisory) in view of CERT CC, "Understanding Malicious Content Mitigation for Web Developers" (CERT) in view of Wheeler, Secure Programming for Linux and Unix HOWTO, in view of Sanin, "Web Service Security Filter", U.S. Patent Publication 2004/0073811.

Regarding claim 1, CERT-Advisory discloses:

receiving a request from a user computer, wherein the request includes a first portion of safe data, and a second portion of data derived from an outside source (CERT-Advisory, page 1, Systems Affected, Overview; page 2, pars. 2-4).

CERT-Advisory discloses, in general, that the server site attempts to prevent the site from being abused or attacked by malicious data ("a marker of active content") within the request (CERT-Advisory, page 5, Solutions for Web Page Developers and Web Site Administrators). CERT-Advisory does not explicitly say determining if the request from the user computer includes a marker of active content identified in a list of active markers. Instead, CERT-Advisory directs the reader's attention to the detailed solution (found in CERT) for preventing cross-site scripting attacks in response to receiving HTTP requests comprising malicious scripts.

CERT discloses the specifics for mitigating cross-site scripting attacks by evaluating the incoming data requests against a list of markers of active content that would indicate the presence of malicious scripts (CERT, page 1, par. 1, Problem Summary, pars. 2-3; page 2, Mitigation Summary; page 3, Identifying the Special Characters; pages 4 and 5, Filtering Dynamic Content).
It would have been obvious to one of ordinary skill in the art to combine the teachings of CERT with the teachings of CERT-Advisory. This would have been obvious because CERT-Advisory explicitly says to consult the reference CERT so as to successfully mitigate cross-site scripting attacks (CERT-Advisory, page 5, par. 6).

The combination of CERT-Advisory and CERT discloses refraining from serving a response to a portion of the request if the request includes the marker of active content, and refusing to dynamically render a response to the HTTP request if the input data includes a script construct (CERT-Advisory, pg. 1, "Overview"; pg. 2, "Malicious code sent inadvertently by a client for itself"; CERT, pg. 1, par. 1; pg. 2-4, "Mitigation Summary"). That is, the prior art discloses refusing to execute the HTTP request if the input data includes a script construct, thereby preventing the cross-site scripting attack: malicious HTTP requests are not executed.

The combination does not disclose informing the user that a marker of active content from the list of active markers has been discovered in the request, requesting that the user computer resubmit a request, and subsequently serving a response to the request resubmitted by the user computer.

Wheeler, in response to the problem of cross-site scripting attacks and building upon the prior art teachings of CERT (Wheeler, 4.10, 6.15, 6.15.1 - 6.15.2.1, 8.5), teaches that a system in practice may forbid markers of active content and send informative error messages to users who include them in requests. A system could notify the user of ways to correct such issues (Wheeler, 4.11.6, par. 2; 4.11.1; 4.11.3, par. 5; 4.12, par. 5).
It would have been obvious to one of ordinary skill in the art to employ the teachings of Wheeler along with the teachings of the combination of CERT and CERT-Advisory. This would have been obvious because one of ordinary skill in the art would have been motivated by the explicit suggestions found within the prior art when practically implementing a solution to mitigate malicious scripting attacks.

The examiner notes that the applicant adds the following recitation, which does not appear to be explicitly recited within the prior art combination. Namely, the combination does not appear to explicitly recite maintaining the list of active markers "at a server".

Sanin, however, discloses that a list of active markers should be maintained at a server (fig. 1:102), thus allowing a server to continually protect itself with an updated list that reflects newly discovered types of web attacks (par. 16). Sanin discloses that his method of protection against cross-site scripting attacks is an enhancement to the known prior art methods of request validation and/or encoding, as disclosed within the prior art combination (pars. 14, 15). One of ordinary skill in the art would have been motivated to employ the teachings of Sanin within the combination, as one of ordinary skill in the art would have been motivated by Sanin's teaching of an enhancement.

Furthermore, the combination enables:

refraining from serving a response to any portion of the request (Sanin, pars. 38, 39; Wheeler, 4.11.6, par. 2; 4.11.1; 4.11.3, par. 5; 4.12, par. 5).
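The request-side filtering scheme that the rejection reads onto claim 1 and its dependents (a list of markers of active content maintained at the server, evaluation of only the user-supplied portions of the request, refusal to render any portion of the request when a marker is found, an informative error asking the user to resubmit, and a logged event), shown as working code. This is an added example written for this page; it is not code from the application, the examiner, or any cited reference. The marker patterns, the header subset, the `HttpRequest` shape and the error wording are illustrative assumptions, and one marker is left inactive only to show that entries can be switched off without being deleted.

```python
"""Added example: a server-side filter for markers of active content in an HTTP request.
Not code from the application or any cited reference; the marker list, header subset
and request shape below are illustrative assumptions."""
import html
import logging
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

log = logging.getLogger("active-content-filter")


@dataclass
class Marker:
    """One entry of the server-maintained list; 'active' lets an entry be inactivated
    (switched off) without deleting it from the list."""
    name: str
    pattern: re.Pattern
    active: bool = True


# Hypothetical marker list kept at the server. Patterns are illustrative, not exhaustive.
MARKER_LIST: List[Marker] = [
    Marker("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    Marker("event-handler", re.compile(r"\bon(mouseover|click|load|error)\s*=", re.I)),
    Marker("javascript-url", re.compile(r"javascript\s*:", re.I)),
    Marker("css-expression", re.compile(r"expression\s*\(", re.I)),
    # Inactivated entry: still in the list, but not consulted until switched on.
    Marker("element-size", re.compile(r"\b(width|height)\s*=\s*[\"']?\s*-?\d{5,}", re.I), active=False),
]


@dataclass
class HttpRequest:
    """Minimal request model (assumption). 'path' is routed by the server itself and is
    treated as server-generated; the other fields are the user input portion."""
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def user_input_fields(req: HttpRequest):
    """Yield (location, field name, value) for only the client-supplied portion of the
    request: query string variables, cookies, selected headers, and form fields."""
    for name, value in parse_qsl(req.query, keep_blank_values=True):
        yield ("query", name, value)
    for name, value in req.cookies.items():
        yield ("cookie", name, value)
    for name in ("Referer", "User-Agent"):  # headers an application might echo into a page
        if name in req.headers:
            yield ("header", name, req.headers[name])
    for name, value in req.form.items():
        yield ("form", name, value)


def find_marker(req: HttpRequest, markers: List[Marker] = MARKER_LIST) -> Optional[Tuple[str, str, str]]:
    """Return (marker name, location, field name) for the first active marker found, else None."""
    for location, name, value in user_input_fields(req):
        for m in markers:
            if m.active and m.pattern.search(value):
                return (m.name, location, name)
    return None


def serve(req: HttpRequest, render: Callable[[HttpRequest], str],
          markers: List[Marker] = MARKER_LIST) -> Tuple[int, str]:
    """If any user input field carries an active marker, refuse to dynamically render any
    portion of the request: log the event at the server and return an error response that
    names the offending field and asks the user to correct it and resubmit. Otherwise hand
    the request to the application's renderer."""
    hit = find_marker(req, markers)
    if hit is not None:
        marker, location, name = hit
        log.warning("active-content marker %s in %s field %r of %s %s",
                    marker, location, name, req.method, req.path)
        body = ("Your request was not processed: the %s field %r contains a construct (%s) "
                "that this site does not accept. Please remove it and resubmit."
                % (location, html.escape(name), marker))
        return 400, body
    return 200, render(req)
```

A blocklist of this kind is only as good as the normalisation done before matching; input that the filter does not decode the same way the browser will (alternate encodings, split tokens) passes through, which is why the CERT tech tip cited for claim 15 also teaches encoding the input at render time rather than relying on request filtering alone.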
Regarding claim 8, it comprises substantially the same limitations as claim 1, and it is rejected, at least, for the same reasons.

Regarding claim 9, the combination discloses:

at least one of: receiving a query string that includes at least one query string variable; receiving a cookie; receiving one or more headers in the HTTP request; and receiving one or more form fields (CERT-Advisory, page 2, pars. 2-5; CERT, page 2, Mitigation Summary).

Regarding claim 10, the combination discloses:

at least one of: searching the HTTP request for one or more character combinations that correspond to a script construct; searching the HTTP request for an event that includes a script construct; searching server variables that derive input data from another source; and searching the HTTP request for an expression that includes a script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).

Regarding claim 11, the combination discloses:

searching the input data for a script construct (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).

Regarding claim 12, the combination discloses:

searching for patterns associated with scripts (CERT, page 3, Identifying the Special Characters; page 4, Filtering Dynamic Content).


Regarding claim 14, the combination discloses:

wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises logging an event at the server computer (Wheeler, 8.1; 10.9; 10.11). Herein, the combination discloses that a server generates a detailed log of events regarding system successes and failures, in addition to sending a response back to the user regarding the event, such as why there was a failure.

Regarding claim 15, the combination discloses:

encoding the user input including the script construct to render the script inert (CERT-Advisory, page 2, par. 1; page 5, pars. 3-6; CERT, page 3, Identifying the Special Characters; page 4, par. 2).

Regarding claim 16, the combination discloses:

evaluating the HTTP request to determine if the input data includes a marker of active content (CERT, page 2, Mitigation Summary, particularly steps 2 and 4; page 3, Identifying the Special Characters).

Regarding claim 17, the combination discloses:

determining if the marker of active content is within a particular element, wherein the marker of active content is harmful only when rendered within the particular element (CERT, page 2, Mitigation Summary, particularly steps 2 and 4 (identifying special characters, filtering specific characters in dynamic elements); page 3, Identifying the Special Characters).

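The two render-time measures the rejection reads onto claims 15 and 17, as working code: encoding user input so that a script construct in it is rendered inert, and deciding whether a given marker is harmful in the particular element (or attribute) where it would be rendered. This is an added example for this page, not code from the application, the examiner, or any cited reference. The context rules it applies are the example's own assumptions: an `on*` attribute is always a script context whatever its value; `href` and `src` accept only relative or http(s) URLs; raw text placed inside `script` or `style` elements cannot be made inert by HTML entity encoding, because those elements do not decode entities.

```python
"""Added example: context-dependent encoding and a per-element harm check for user input.
Not code from the application or any cited reference; the element/attribute rules and the
allowlisted URL schemes are illustrative assumptions."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)   # onclick, onmouseover, onload, ...
URL_ATTRS = ("href", "src")
RAW_TEXT_ELEMENTS = ("script", "style")        # entity encoding is not decoded here


def encode_for_text(value: str) -> str:
    """Encode for an element's text content: '<script>' becomes literal text and can no
    longer open a script element, so the construct is rendered inert."""
    return html.escape(value, quote=False)


def encode_for_attribute(value: str) -> str:
    """Encode for a double-quoted attribute value. Quotes are encoded too, so the input
    cannot close the attribute and introduce an on* handler of its own."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> bool:
    """Allowlist for URL-valued attributes: relative URLs and http(s) only. Tabs and
    newlines are removed first because browsers ignore them inside a scheme, so
    'java\\tscript:' must be treated as 'javascript:'."""
    cleaned = re.sub(r"[\t\r\n]", "", value).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ("", "http", "https")


def harmful_in_element(value: str, element: str, attribute: Optional[str] = None) -> bool:
    """Claim-17 style determination: the same marker can be inert in one element and
    harmful in another. A 'javascript:' URL is harmless as paragraph text but executes
    as an href; any on* attribute is a script context regardless of value."""
    if attribute is not None and EVENT_ATTR.match(attribute):
        return True
    if attribute in URL_ATTRS:
        return not safe_url(value)
    if element in RAW_TEXT_ELEMENTS:
        return True
    return False


def render_user_input(value: str, element: str, attribute: Optional[str] = None) -> Optional[str]:
    """Return the markup fragment for user input in the given context, encoded for that
    context, or None when encoding cannot render the input inert there (the caller then
    refuses to render, as in claims 1 and 8)."""
    if harmful_in_element(value, element, attribute):
        return None
    if attribute is None:
        return "<%s>%s</%s>" % (element, encode_for_text(value), element)
    return '<%s %s="%s"></%s>' % (element, attribute, encode_for_attribute(value), element)
```

The point of `harmful_in_element` is that the decision depends on where the data lands, not only on what it contains: `javascript:alert(1)` rendered as paragraph text is inert once encoded, while the same string as an `href` value is a script construct that no HTML entity encoding neutralises, so it has to be refused rather than encoded.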



Regarding claims 2 - 3, 5 - 7, 18 - 22, 24, and 25, they are method claims and method claims embodied on a computer readable medium corresponding to the system claims 1 - 17, and they are rejected, at least, for the same reasons.

Regarding claim 4, the combination enables: evaluating only the second portion of the request that includes the data derived from an outside source (CERT, page 2, Mitigation Summary; Wheeler, sect. 4, pars. 1, 12). The combination teaches the need to evaluate data comprising untrusted input that could be transmitted in an HTTP request.

Regarding claim 26, the combination enables:

wherein determining if the request from the user computer includes a marker of active content comprises evaluating only user input fields of the request (CERT, page 2, Mitigation Summary; Wheeler, sect. 4, pars. 1, 12). The combination teaches the need to evaluate only data comprising untrusted input that could be transmitted in an HTTP request.


Regarding claim 27, the combination enables maintaining a "highly customizable" list of markers of active content (CERT, pg. 4, 5; Sanin, par. 16) including inactivating markers in the list of markers (Sanin, table 4).

Regarding claim 28, the combination enables:

wherein evaluating the HTTP request to determine if the input data includes a script construct comprises evaluating the HTTP request for an event (Wheeler, sect. 4.11.3, box of attack types). Herein, the combination teaches to test for events, such as 'onmouseover' events. It does not disclose 'onclick' events; however, one of ordinary skill in the art would have recognized that 'onclick' events introduce scripts in the same way as 'onmouseover' events (applicant may refer to evidence such as the W3C Recommendation, "Scripts") and would have been motivated to test for such malicious constructs.

Regarding claim 29, the combination discloses:

wherein evaluating the HTTP request to determine if the input data includes a script construct comprises evaluating the HTTP request for an element size expression (Wheeler, sect. 4.11.3, box of attack types).

Response to Arguments

Applicant's arguments with respect to claims 1 - 29 have been considered but are moot in view of the new ground(s) of rejection.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:

See Notice of References Cited

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffery Williams whose telephone number is (571) 272-7965. The examiner can normally be reached on 8:30-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Emmanuel Moise, can be reached on (571) 272-3865. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

EMMANUEL L. MOISE
SUPERVISORY PATENT EXAMINER